UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The ALG must generate unique session identifiers using a FIPS 140-2 approved random number generator.


Overview

Finding ID Version Rule ID IA Controls Severity
V-54621 SRG-NET-000234-ALG-000116 SV-68867r1_rule Medium
Description
Sequentially generated session IDs can be easily guessed by an attacker. Employing the concept of randomness in the generation of unique session identifiers helps to protect against brute-force attacks to determine future session identifiers. This requirement is applicable to ALGs that create and use sessions and session identifiers to control user communications. If an attacker can guess the session identifier, or can inject or manually insert session information, the valid user's application session can be compromised.
STIG Date
Application Layer Gateway Security Requirements Guide 2014-11-03

Details

Check Text ( C-55241r1_chk )
Verify the ALG generates unique session identifiers using a FIPS 140-2 approved random number generator.

If the ALG does not generate unique session identifiers using a FIPS 140-2 approved random number generator, this is a finding.
Fix Text (F-59477r1_fix)
Configure ALG to generate unique session identifiers using a FIPS 140-2 approved random number generator.